Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (Text with EEA relevance)
Official Journal L 077, 13/03/2004 P. 0001 - 0011

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty establishing the European Community, and in particular Article 95 thereof,

Having regard to the proposal from the Commission,

Having regard to the opinion of the European Economic and Social Committee(1),

After consulting the Committee of the Regions,

Acting in accordance with the procedure laid down in Article 251 of the Treaty(2),

Whereas:

(1) Communication networks and information systems have become an essential factor in economic and societal development. Computing and networking are now becoming ubiquitous utilities in the same way as electricity or water supply already are. The security of communication networks and information systems, in particular their availability, is therefore of increasing concern to society not least because of the possibility of problems in key information systems, due to system complexity, accidents, mistakes and attacks, that may have consequences for the physical infrastructures which deliver services critical to the well-being of EU citizens.

(2) The growing number of security breaches has already generated substantial financial damage, has undermined user confidence and has been detrimental to the development of e-commerce. Individuals, public administrations and businesses have reacted by deploying security technologies and security management procedures. Member States have taken several supporting measures, such as information campaigns and research projects, to enhance network and information security throughout society.

(3) The technical complexity of networks and information systems, the variety of products and services that are interconnected, and the huge number of private and public actors that bear their own responsibility risk undermining the smooth functioning of the Internal Market.

(4) Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (the Framework Directive)(3) lays down the tasks of national regulatory authorities, which include cooperating with each other and the Commission in a transparent manner to ensure the development of consistent regulatory practice, contributing to ensuring a high level of protection of personal data and privacy, and ensuring that the integrity and security of public communications networks are ensured.

(5) Present Community legislation also includes Directive 2002/20/EC(4), Directive 2002/22/EC(5), Directive 2002/19/EC(6), Directive 2002/58/EC(7), Directive 1999/93/EC(8), Directive 2000/31/EC(9), as well as the Council Resolution of 18 February 2003 on the implementation of the eEurope 2005 Action Plan(10).

(6) Directive 2002/20/EC entitles Member States to attach to the general authorisation, conditions regarding the security of public networks against unauthorised access in accordance with Directive 97/66/EC(11).

(7) Directive 2002/22/EC requires that Member States take necessary steps to ensure the integrity and availability of the public telephone networks at fixed locations and that undertakings providing publicly available telephone services at fixed locations take all reasonable steps to ensure uninterrupted access to emergency services.

(8) Directive 2002/58/EC requires a provider of a publicly available electronic communications service to take appropriate technical and organisational measures to safeguard security of its services and also requires the confidentiality of the communications and related traffic data. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(12), requires Member States to provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network and against all other unlawful forms of processing.

(9) Directive 2002/21/EC and Directive 1999/93/EC contain provisions on standards that are to be published in the Official Journal of the European Union. Member States also use standards from international bodies as well as de facto standards developed by the global industry. It is necessary for the Commission and the Member States to be able to track those standards which meet the requirements of Community legislation.

(10) These internal market measures require different forms of technical and organisational applications by the Member States and the Commission. These are technically complex tasks with no single, self-evident solutions. The heterogeneous application of these requirements can lead to inefficient solutions and create obstacles to the internal market. This calls for the creation of a centre of expertise at European level providing guidance, advice, and when called upon, with assistance within its objectives, which may be relied upon by the European Parliament, the Commission or competent bodies appointed by the Member States. National Regulatory Authorities, designated under Directive 2002/21/EC, can be appointed by a Member State as a competent body.
(11) The establishment of a European agency, the European Network and Information Security Agency, hereinafter referred to as "the Agency", operating as a point of reference and establishing confidence by virtue of its independence, the quality of the advice it delivers and the information it disseminates, the transparency of its procedures and methods of operation, and its diligence in performing the tasks assigned to it, would respond to these needs. The Agency should build on national and Community efforts and therefore perform its tasks in full cooperation with the Member States and be open to contacts with industry and other relevant stakeholders. As electronic networks, to a large extent, are privately owned, the Agency should build on the input from and cooperation with the private sector.

(12) The exercise of the Agency's tasks should not interfere with the competencies and should not pre-empt, impede or overlap with the relevant powers and tasks conferred on:
- the national regulatory authorities as set out in the Directives relating to the electronic communications networks and services, as well as on the European Regulators Group for Electronic Communications Networks and Services established by Commission Decision 2002/627/EC(13) and the Communications Committee referred to in Directive 2002/21/EC,
- the European standardisation bodies, the national standardisation bodies and the Standing Committee as set out in Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society Services(14),
- the supervisory authorities of the Member States relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data.
(13) To understand better the challenges in the network and information security field, there is a need for the Agency to analyse current and emerging risks and for that purpose the Agency may collect appropriate information, in particular through questionnaires, without imposing new obligations on the private sector or the Member States to generate data. Emerging risks should be understood as issues already visible as possible future risks to network and information security.

(14) Ensuring confidence in networks and information systems requires that individuals, businesses and public administrations are sufficiently informed, educated and trained in the field of network and information security. Public authorities have a role in increasing awareness by informing the general public, small and medium-sized enterprises, corporate companies, public administrations, schools and universities. These measures need to be further developed. An increased information exchange between Member States will facilitate such awareness raising actions. The Agency should provide advice on best practices in awareness-raising, training and courses.

(15) The Agency should have the task of contributing to a high level of network and information security within the Community and of developing a culture of network and information security for the benefit of citizens, consumers, businesses and public sector organisations in the European Union, thus contributing to the smooth functioning of the internal market.

(16) Efficient security policies should be based on well-developed risk assessment methods, both in the public and private sector. Risk assessment methods and procedures are used at different levels with no common practice on their efficient application. The promotion and development of best practices for risk assessment and for interoperable risk management solutions within public and private sector organisations will increase the security level of networks and information systems in Europe.

(17) The work of the Agency should utilise ongoing research, development and technological assessment activities, in particular those carried out by the different Community research initiatives.

(18) Where appropriate and useful for fulfilling its scope, objectives and tasks, the Agency could share experience and general information with bodies and agencies created under European Union law and dealing with network and information security.

(19) Network and information security problems are global issues. There is a need for closer cooperation at global level to improve security standards, improve information, and promote a common global approach to network and information security issues, thereby contributing to the development of a culture of network and information security. Efficient cooperation with third countries and the global community has become a task also at European level. To this end, the Agency should contribute to Community efforts to cooperate with third countries and, where appropriate, with international organisations.

(20) In its activities the Agency should pay attention to small and medium-sized enterprises.

(21) In order effectively to ensure the accomplishment of the tasks of the Agency, the Member States and the Commission should be represented on a Management Board entrusted with the necessary powers to establish the budget, verify its execution, adopt the appropriate financial rules, establish transparent working procedures for decision making by the Agency, approve the Agency's work programme, adopt its own rules of procedure and the Agency's internal rules of operation, appoint and remove the Executive Director. The Management Board should ensure that the Agency carries out its tasks under conditions which enable it to serve in accordance with this Regulation.

(22) A Permanent Stakeholders' Group would be helpful, in order to maintain a regular dialogue with the private sector, consumers organisations and other relevant stakeholders. The Permanent Stakeholders' Group, established and chaired by the Executive Director, should focus on issues relevant to all stakeholders and bring them to the attention of the Executive Director. The Executive Director may, where appropriate and according to the agenda of the meetings, invite representatives of the European Parliament and from other relevant bodies to take part in the meetings of the Group.

(23) The smooth functioning of the Agency requires that its Executive Director is appointed on the grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for network and information security and that he/she performs his/her duties with complete independence and flexibility as to the organisation of the internal functioning of the Agency. To this end, the Executive Director should prepare a proposal for the Agency's work programme, after prior consultation of the Commission and of the Permanent Stakeholders' Group, and take all necessary steps to ensure the proper accomplishment of the working programme of the Agency, should prepare each year a draft general report to be submitted to the Management Board, should draw up a draft statement of estimates of revenue and expenditure of the Agency and should implement the budget.

(24) The Executive Director should have the possibility to set up ad hoc Working Groups to address in particular scientific and technical matters. In establishing the ad hoc Working Groups the Executive Director should seek input from and mobilise the relevant expertise of private sector. The ad hoc Working Groups should enable the Agency to have access to the most updated information available in order to be able to respond to the security challenges posed by the developing information society. The Agency should ensure that its ad hoc Working Groups are competent and representative and that they include, as appropriate according to the specific issues, representation of the public administrations of the Member States, of the private sector including industry, of the users and of academic experts in network and information security. The Agency may, if necessary, add to the Working Groups independent experts recognised as competent in the field concerned. The experts who participate in the ad hoc Working Groups organised by the Agency should not belong to the Agency's staff. Their expenses should be met by the Agency in accordance with its internal rules and in conformity with the existing Financial Regulations.

(25) The Agency should apply the relevant Community legislation concerning public access to documents as set out in Regulation (EC) No 1049/2001(15) of the European Parliament and of the Council and the protection of individuals with regard to the processing of personal data as set out in Regulation (EC) No 45/2001(16) of the European Parliament and of the Council.

(26) Within its scope, its objectives and in the performance of its tasks, the Agency should comply in particular with the provisions applicable to the Community institutions, as well as the national legislation regarding the treatment of sensitive documents.

(27) In order to guarantee the full autonomy and independence of the Agency, it is considered necessary to grant it an autonomous budget whose revenue comes essentially from a contribution from the Community. The Community budgetary procedure remains applicable as far as any subsidies chargeable to the general budget of the European Union are concerned. Moreover, the Court of Auditors should undertake the auditing of accounts.
(28) Where necessary and on the basis of arrangements to be concluded, the Agency may have access to the interpretation services provided by the Directorate General for Interpretation (DGI) of the Commission, or by Interpretation Services of other Community institutions.

(29) The Agency should be initially established for a limited period and its operations evaluated in order to determine whether the duration of its operations should be extended,

HAVE ADOPTED THIS REGULATION:

SECTION 1
SCOPE, OBJECTIVES AND TASKS

Article 1
Scope

1. For the purpose of ensuring a high and effective level of network and information security within the Community and in order to develop a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, thus contributing to the smooth functioning of the internal market, a European Network and Information Security Agency is hereby established, hereinafter referred to as "the Agency".

2. The Agency shall assist the Commission and the Member States, and in consequence cooperate with the business community, in order to help them to meet the requirements of network and information security, thereby ensuring the smooth functioning of the internal market, including those set out in present and future Community legislation, such as in the Directive 2002/21/EC.

3. The objectives and the tasks of the Agency shall be without prejudice to the competencies of the Member States regarding network and information security which fall outside the scope of the EC Treaty, such as those covered by Titles V and VI of the Treaty on European Union, and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the issues relate to State security matters) and the activities of the State in areas of criminal law.

Article 2
Objectives

1. The Agency shall enhance the capability of the Community, the Member States and, as a consequence, the business community to prevent, address and to respond to network and information security problems.

2. The Agency shall provide assistance and deliver advice to the Commission and the Member States on issues related to network and information security falling within its competencies as set out in this Regulation.

3. Building on national and Community efforts, the Agency shall develop a high level of expertise. The Agency shall use this expertise to stimulate broad cooperation between actors from the public and private sectors.

4. The Agency shall assist the Commission, where called upon, in the technical preparatory work for updating and developing Community legislation in the field of network and information security.

Article 3
Tasks

In order to ensure that the scope and objectives set out in Articles 1 and 2 are complied with and met, the Agency shall perform the following tasks:
(a) collect appropriate information to analyse current and emerging risks and, in particular at the European level, those which could produce an impact on the resilience and the availability of electronic communications networks and on the authenticity, integrity and confidentiality of the information accessed and transmitted through them, and provide the results of the analysis to the Member States and the Commission;
(b) provide the European Parliament, the Commission, European bodies or competent national bodies appointed by the Member States with advice, and when called upon, with assistance within its objectives;
(c) enhance cooperation between different actors operating in the field of network and information security, inter alia, by organising, on a regular basis, consultation with industry, universities, as well as other sectors concerned and by establishing networks of contacts for Community bodies, public sector bodies appointed by the Member States, private sector and consumer bodies;
(d) facilitate cooperation between the Commission and the Member States in the development of common methodologies to prevent, address and respond to network and information security issues;
(e) contribute to awareness raising and the availability of timely, objective and comprehensive information on network and information security issues for all users by, inter alia, promoting exchanges of current best practices, including on methods of alerting users, and seeking synergy between public and private sector initiatives;
(f) assist the Commission and the Member States in their dialogue with industry to address security-related problems in the hardware and software products;
(g) track the development of standards for products and services on network and information security;
(h) advise the Commission on research in the area of network and information security as well as on the effective use of risk prevention technologies;
(i) promote risk assessment activities, interoperable risk management solutions and studies on prevention management solutions within public and private sector organisations;
(j) contribute to Community efforts to cooperate with third countries and, where appropriate, with international organisations to promote a common global approach to network and information security issues, thereby contributing to the development of a culture of network and information security;
(k) express independently its own conclusions, orientations and give advice on matters within its scope and objectives.
Article 4
Definitions

For the purposes of this Regulation the following definitions shall apply:
(a) "network" means transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable TV networks, irrespective of the type of information conveyed;
(b) "information system" means computers and electronic communication networks, as well as electronic data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance;
(c) "network and information security" means the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems;
(d) "availability" means that data is accessible and services are operational;
(e) "authentication" means the confirmation of an asserted identity of entities or users;
(f) "data integrity" means the confirmation that data which has been sent, received, or stored are complete and unchanged;
(g) "data confidentiality" means the protection of communications or stored data against interception and reading by unauthorised persons;
(h) "risk" means a function of the probability that a vulnerability in the system affects authentication or the availability, authenticity, integrity or confidentiality of the data processed or transferred and the severity of that effect, consequential to the intentional or non-intentional use of such a vulnerability;
(i) "risk assessment" means a scientific and technologically based process consisting of four steps, threats identification, threat characterisation, exposure assessment and risk characterisation;
(j) "risk management" means the process, distinct from risk assessment, of weighing policy alternatives in consultation with interested parties, considering risk assessment and other legitimate factors, and, if need be, selecting appropriate prevention and control options;
(k) "culture of network and information security" has the same meaning as that set out in the OECD Guidelines for the security of Information Systems and Networks of 25 July 2002 and the Council Resolution of 18 February 2003 on a European approach towards a culture of network and information security(17).

SECTION 2
ORGANISATION

Article 5
Bodies of the Agency

The Agency shall comprise:
(a) a Management Board;
(b) an Executive Director, and
(c) a Permanent Stakeholders' Group.

Article 6
Management Board

1. The Management Board shall be composed of one representative of each Member State, three representatives appointed by the Commission, as well as three representatives, proposed by the Commission and appointed by the Council, without the right to vote, each of whom represents one of the following groups:
(a) information and communication technologies industry;
(b) consumer groups;
(c) academic experts in network and information security.

2. Board members shall be appointed on the basis of their degree of relevant experience and expertise in the field of network and information security. Representatives may be replaced by alternates, appointed at the same time.

3. The Management Board shall elect its Chairperson and a Deputy Chairperson from among its members for a two-and-a-half-year period, which shall be renewable. The Deputy Chairperson shall ex officio replace the Chairperson in the event of the Chairperson being unable to attend to his/her duties.

4. The Management Board shall adopt its rules of procedure, on the basis of a proposal by the Commission. Unless otherwise provided, the Management Board shall take its decisions by a majority of its members with the right to vote. A two-thirds majority of all members with the right to vote is required for the adoption of its rules of procedure, the Agency's internal rules of operation, the budget, the annual work programme, as well as the appointment and the removal of the Executive Director.

5. Meetings of the Management Board shall be convened by its Chairperson. The Management Board shall hold an ordinary meeting twice a year. It shall also hold extraordinary meetings at the instance of the Chairperson or at the request of at least a third of its members with the right to vote. The Executive Director shall take part in the meetings of the Management Board, without voting rights, and shall provide the Secretariat.

6. The Management Board shall adopt the Agency's internal rules of operation on the basis of a proposal by the Commission. These rules shall be made public.

7. The Management Board shall define the general orientations for the operation of the Agency. The Management Board shall ensure that the Agency works in accordance with the principles laid down in Articles 12 to 14 and 23. It shall also ensure consistency of the Agency's work with activities conducted by Member States as well as at Community level.

8. Before 30 November each year, the Management Board, having received the Commission's opinion, shall adopt the Agency's work programme for the following year. The Management Board shall ensure that the work programme is consistent with the Agency's scope, objectives and tasks as well as with the Community's legislative and policy priorities in the area of network and information security.

9. Before 31 March each year, the Management Board shall adopt the general report on the Agency's activities for the previous year.

10. The financial rules applicable to the Agency shall be adopted by the Management Board after the Commission has been consulted. They may not depart from Commission Regulation (EC, Euratom) No 2343/2002 of 19 November 2002 on the framework Financial Regulation for the bodies referred to in Article 185 of the Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities(18), unless such departure is specifically required for the Agency's operation and the Commission has given its prior consent.

Article 7
Executive Director

1. The Agency shall be managed by its Executive Director, who shall be independent in the performance of his/her duties.

2. The Executive Director shall be appointed by the Management Board on the basis of a list of candidates proposed by the Commission after an open competition following publication in the Official Journal of the European Union and elsewhere of a call for expressions of interest. The Executive Director shall be appointed on the grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for network and information security. Before appointment the candidate nominated by the Management Board shall be invited without delay to make a statement before the European Parliament and to answer questions put by members of that institution. The European Parliament or the Council may also ask at any time for a hearing with the Executive Director on any subject related to the Agency's activities. The Executive Director may be removed from office by the Management Board.

3. The term of office of the Executive Director shall be up to five years.

4. The Executive Director shall be responsible for:
(a) the day-to-day administration of the Agency;
(b) drawing up a proposal for the Agency's work programmes after prior consultation of the Commission and of the Permanent Stakeholders' Group;
(c) implementing the work programmes and the decisions adopted by the Management Board;
(d) ensuring that the Agency carries out its tasks in accordance with the requirements of those using its services, in particular with regard to the adequacy of the services provided;
(e) the preparation of the Agency's draft statement of estimates of revenue and expenditure and the execution of its budget;
(f) all staff matters;
(g) developing and maintaining contact with the European Parliament and for ensuring a regular dialogue with its relevant committees;
(h) developing and maintaining contact with the business community and consumers organisations for ensuring a regular dialogue with relevant stakeholders;
(i) chairing the Permanent Stakeholders' Group.

5. Each year, the Executive Director shall submit to the Management Board for approval:
(a) a draft general report covering all the activities of the Agency in the previous year;
(b) a draft work programme.

6. The Executive Director shall, following adoption by the Management Board, forward the work programme to the European Parliament, the Council, the Commission and the Member States and shall have it published.

7. The Executive Director shall, following adoption by the Management Board, transmit the Agency's general report to the European Parliament, the Council, the Commission, the Court of Auditors, the European Economic and Social Committee and the Committee of the Regions and shall have it published.

8. Where necessary and within the Agency's scope, objectives and tasks, the Executive Director may establish, in consultation with the Permanent Stakeholders' Group, ad hoc Working Groups composed of experts. The Management Board shall be duly informed. The procedures regarding in particular the composition, the appointment of the experts by the Executive Director and the operation of the ad hoc Working Groups shall be specified in the Agency's internal rules of operation. Where established, the ad hoc Working Groups shall address in particular technical and scientific matters. Members of the Management Board may not be members of the ad hoc Working Groups. Representatives of the Commission shall be entitled to be present in their meetings.

Article 8
Permanent Stakeholders' Group

1. The Executive Director shall establish a Permanent Stakeholders' Group composed of experts representing the relevant stakeholders, such as information and communication technologies industry, consumer groups and academic experts in network and information security.

2. The procedures regarding in particular the number, the composition, the appointment of the members by the Executive Director and the operation of the Group shall be specified in the Agency's internal rules of operation and shall be made public.

3. The Group shall be chaired by the Executive Director. The term of office of its members shall be two-and-a-half years. Members of the Group may not be members of the Management Board.

4. Representatives of the Commission shall be entitled to be present in the meetings and participate in the work of the Group.

5. The Group may advise the Executive Director in the performance of his/her duties under this Regulation, in drawing up a proposal for the Agency's work programme, as well as in ensuring communication with the relevant stakeholders on all issues related to the work programme.

SECTION 3
OPERATION

Article 9
Work programme

The Agency shall base its operations on carrying out the work programme adopted in accordance with Article 6(8). The work programme shall not prevent the Agency from taking up unforeseen activities that fall within its scope and objectives and within the given budget limitations.
Article 10 Requests to the Agency 1. Requests for advice and assistance falling within the Agency's scope, objectives and tasks shall be addressed to the Executive Director and accompanied by background information explaining the issue to be addressed. The Executive Director shall inform the Commission of the received requests. If the Agency refuses a request, justification shall be given. 2. Requests referred to in paragraph 1 may be made by: (a) the European Parliament; (b) the Commission; (c) any competent body appointed by a Member State, such as a national regulatory authority as defined in Article 2 of Directive 2002/21/EC. 3. The practical arrangements for the application of paragraphs 1 and 2, regarding in particular the submission, the prioritisation, the follow up as well as the information of the Management Board on the requests to the Agency shall be laid down by the Management Board in the Agency's internal rules of operation. Article 11 Declaration of interests 1. The Executive Director, as well as officials seconded by Member States on a temporary basis shall make a declaration of commitments and a declaration of interests indicating the absence of any direct or indirect interests, which might be considered prejudicial to their independence. Such declarations shall be made in writing. 2. External experts participating in ad hoc Working Groups, shall declare at each meeting any interests, which might be considered prejudicial to their independence in relation to the items on the agenda. Article 12 Transparency 1. The Agency shall ensure that it carries out its activities with a high level of transparency and in accordance with Article 13 and 14. 2. The Agency shall ensure that the public and any interested parties are given objective, reliable and easily accessible information, in particular with regard to the results of its work, where appropriate. 
It shall also make public the declarations of interest made by the Executive Director and by officials seconded by Member States on a temporary basis, as well as the declarations of interest made by experts in relation to items on the agendas of meetings of the ad hoc Working Groups. 3. The Management Board, acting on a proposal from the Executive Director, may authorise interested parties to observe the proceedings of some of the Agency's activities. 4. The Agency shall lay down in its internal rules of operation the practical arrangements for implementing the transparency rules referred to in paragraphs 1 and 2. Article 13 Confidentiality 1. Without prejudice to Article 14, the Agency shall not divulge to third parties information that it processes or receives for which confidential treatment has been requested. 2. Members of the Management Board, the Executive Director, the members of the Permanent Stakeholders Group, external experts participating in ad hoc Working Groups, and members of the staff of the Agency including officials seconded by Member States on a temporary basis, even after their duties have ceased, are subject to the requirements of confidentiality pursuant to Article 287 of the Treaty. 3. The Agency shall lay down in its internal rules of operation the practical arrangements for implementing the confidentiality rules referred to in paragraphs 1 and 2. Article 14 Access to documents 1. Regulation (EC) No 1049/2001 shall apply to documents held by the Agency. 2. The Management Board shall adopt arrangements for implementing the Regulation (EC) No 1049/2001 within six months of the establishment of the Agency. 3. Decisions taken by the Agency pursuant to Article 8 of Regulation (EC) No 1049/2001 may form the subject of a complaint to the Ombudsman or of an action before the Court of Justice of the European Communities, under Articles 195 and 230 of the Treaty respectively. SECTION 4 FINANCIAL PROVISIONS Article 15 Adoption of the budget 1. 
The revenues of the Agency shall consist of a contribution from the Community and any contribution from third countries participating in the work of the Agency as provided for by Article 24. 2. The expenditure of the Agency shall include the staff, administrative and technical support, infrastructure and operational expenses, and expenses resulting from contracts entered into with third parties. 3. By 1 March each year at the latest, the Executive Director shall draw up a draft statement of estimates of the Agency's revenue and expenditure for the following financial year, and shall forward it to the Management Board, together with a draft establishment plan. 4. Revenue and expenditure shall be in balance. 5. Each year, the Management Board, on the basis of a draft statement of estimates of revenue and expenditure drawn up by the Executive Director, shall produce a statement of estimates of revenue and expenditure for the Agency for the following financial year. 6. This statement of estimates, which shall include a draft establishment plan together with the provisional work programme, shall by 31 March at the latest, be transmitted by the Management Board to the Commission and the States with which the Community has concluded agreements in accordance with Article 24. 7. This statement of estimates shall be forwarded by the Commission to the European Parliament and the Council (both hereinafter referred to as the "budgetary authority") together with the preliminary draft general budget of the European Union. 8. On the basis of this statement of estimates, the Commission shall enter in the preliminary draft general budget of the European Union the estimates it deems necessary for the establishment plan and the amount of the subsidy to be charged to the general budget, which it shall submit to the budgetary authority in accordance with Article 272 of the Treaty. 9. The budgetary authority shall authorise the appropriations for the subsidy to the Agency. 
The budgetary authority shall adopt the establishment plan for the Agency. 10. The Management Board shall adopt the Agency's budget. It shall become final following final adoption of the general budget of the European Union. Where appropriate, the Agency's budget shall be adjusted accordingly. The Management Board shall forward it without delay to the Commission and the budgetary authority. 11. The Management Board shall, as soon as possible, notify the budgetary authority of its intention to implement any project which may have significant financial implications for the funding of the budget, in particular any projects relating to property such as the rental or purchase of buildings. It shall inform the Commission thereof. Where a branch of the budgetary authority has notified its intention to deliver an opinion, it shall forward its opinion to the Management Board within a period of six weeks from the date of notification of the project. Article 16 Combating fraud 1. In order to combat fraud, corruption and other unlawful activities the provisions of Regulation (EC) No 1073/1999 of the European Parliament and of the Council of 25 May 1999 concerning investigations conducted by the European Anti-fraud Office (OLAF)(19) shall apply without restriction. 2. The Agency shall accede to the Interinstitutional Agreement of 25 May 1999 between the European Parliament and the Council of the European Union and the Commission of the European Communities concerning internal investigations by the European Anti-fraud Office (OLAF)(20) and shall issue, without delay, the appropriate provisions applicable to all the employees of the Agency. Article 17 Implementation of the budget 1. The Executive Director shall implement the Agency's budget. 2. The Commission's internal auditor shall exercise the same powers over the Agency as over Commission departments. 3. 
By 1 March at the latest following each financial year, the Agency's accounting officer shall communicate the provisional accounts to the Commission's accounting officer together with a report on the budgetary and financial management for that financial year. The Commission's accounting officer shall consolidate the provisional accounts of the institutions and decentralised bodies in accordance with Article 128 of Council Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 on the Financial Regulation applicable to the general budget of the European Communities(21) (hereinafter referred to as the general Financial Regulation). 4. By 31 March at the latest following each financial year, the Commission's accounting officer shall transmit the Agency's provisional accounts to the Court of Auditors, together with a report on the budgetary and financial management for that financial year. The report on the budgetary and financial management for the financial year shall also be transmitted to the budgetary authority. 5. On receipt of the Court of Auditor's observations on the Agency's provisional accounts, pursuant to Article 129 of the general Financial Regulation, the Executive Director shall draw up the Agency's final accounts under his/her own responsibility and transmit them to the Management Board for an opinion. 6. The Management Board shall deliver an opinion on the Agency's final accounts. 7. The Executive Director shall, by 1 July at the latest following each financial year, transmit the final accounts to the European Parliament, the Council, the Commission and the Court of Auditors, together with the Management Board's opinion. 8. The final accounts shall be published. 9. The Executive Director shall send the Court of Auditors a reply to its observations by 30 September at the latest. He/she shall also send this reply to the Management Board. 10. 
The Executive Director shall submit to the European Parliament, at the latter's request, all information necessary for the smooth application of the discharge procedure for the financial year in question, as laid down in Article 146(3) of the general Financial Regulation. 11. The European Parliament, on a recommendation from the Council acting by a qualified majority, shall, before 30 April of year N+2 give a discharge to the Executive Director in respect of the implementation of the budget for the year N. SECTION 5 GENERAL PROVISIONS Article 18 Legal status 1. The Agency shall be a body of the Community. It shall have legal personality. 2. In each of the Member States the Agency shall enjoy the most extensive legal capacity accorded to legal persons under their laws. It may in particular, acquire and dispose of movable and immovable property and be a party to legal proceedings. 3. The Agency shall be represented by its Executive Director. Article 19 Staff 1. The staff of the Agency, including its Executive Director, shall be subject to the rules and regulations applicable to officials and other staff of the European Communities. 2. Without prejudice to Article 6, the powers conferred on the appointing authority by the Staff Regulations and on the authority authorised to conclude contracts by the Conditions of employment of other servants, shall be exercised by the Agency in respect of its own staff. The Agency may also employ officials seconded by Member States on a temporary basis and for a maximum of five years. Article 20 Privileges and immunities The Protocol on the Privileges and Immunities of the European Communities shall apply to the Agency and its staff. Article 21 Liability 1. The contractual liability of the Agency shall be governed by the law applicable to the contract in question. The Court of Justice of the European Communities shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by the Agency. 
2. In the case of non-contractual liability, the Agency shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by it or its servants in the performance of their duties. The Court of Justice shall have jurisdiction in any dispute relating to compensation for such damage. 3. The personal liability of its servants towards the Agency shall be governed by the relevant conditions applying to the staff of the Agency. Article 22 Languages 1. The provisions laid down in Regulation No 1 of 15 April 1958 determining the languages to be used in the European Economic Community(22) shall apply to the Agency. The Member States and the other bodies appointed by them may address the Agency and receive a reply in the Community language of their choice. 2. The translation services required for the functioning of the Agency shall be provided by the Translation Centre for the Bodies of the European Union(23). Article 23 Protection of personal data When processing data relating to individuals, the Agency shall be subject to the provisions of Regulation (EC) No 45/2001. Article 24 Participation of third countries 1. The Agency shall be open to the participation of countries, which have concluded agreements with the European Community by virtue of which they have adopted and applied Community legislation in the field covered by this Regulation. 2. Arrangements shall be made under the relevant provisions of those agreements, specifying in particular the nature, extent and manner in which these countries will participate in the Agency's work, including provisions relating to participation in the initiatives undertaken by the Agency, financial contributions and staff. SECTION 6 FINAL PROVISIONS Article 25 Review clause 1. By 17 March 2007, the Commission, taking into account the views of all relevant stakeholders, shall carry out an evaluation on the basis of the terms of reference agreed with the Management Board. 
The Commission shall undertake the evaluation, notably with the aim to determine whether the duration of the Agency should be extended beyond the period specified in Article 27. 2. The evaluation shall assess the impact of the Agency on achieving its objectives and tasks, as well as its working practices and envisage, if necessary, the appropriate proposals. 3. The Management Board shall receive a report on the evaluation and issue recommendations regarding eventual appropriate changes to this Regulation to the Commission. Both the evaluation findings and recommendations shall be forwarded by the Commission to the European Parliament and the Council and shall be made public. Article 26 Administrative control The operations of the Agency are subject to the supervision of the Ombudsman in accordance with the provisions of Article 195 of the Treaty. Article 27 Duration The Agency shall be established from 14 March 2004 for a period of five years. Article 28 Entry into force This Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union. This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Strasbourg, 10 March 2004. For the European Parliament The President P. Cox For the Council The President D. Roche (1) OJ C 220, 16.9.2003, p. 33. (2) Opinion of the European Parliament of 19 November 2003 (not yet published in the Official Journal) and Council Decision of 19 February 2004. (3) OJ L 108, 24.4.2002, p. 33. (4) Directive 2002/20/EC of the European Parliament and of the Council of 7 March 2002 on the authorisation of electronic communications networks and services (Authorisation Directive) (OJ L 108, 24.4.2002, p. 21). (5) Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users' rights relating to electronic communications networks and services (Universal Service Directive) (OJ L 108, 24.4.2002, p. 
51). (6) Directive 2002/19/EC of the European Parliament and of the Council of 7 March 2002 on access to, and interconnection of, electronic communications networks and associated facilities (Access Directive) (OJ L 108, 24.4.2002, p. 7). (7) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37). (8) Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (OJ L 13, 19.1.2000, p. 12). (9) Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) (OJ L 178, 17.7.2000, p. 1). (10) OJ C 48, 28.2.2003, p. 2. (11) Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector (OJ L 24, 30.1.1998, p. 1). Directive repealed and replaced by Directive 2002/58/EC. (12) OJ L 281, 23.11.1995, p. 31. Directive as amended by Regulation (EC) No 1882/2003 (OJ L 284, 31.10.2003, p. 1). (13) OJ L 200, 30.7.2002, p. 38. (14) OJ L 204, 21.7.1998, p. 37. Directive as amended by Directive 98/48/EC (OJ L 217, 5.8.1998, p. 18). (15) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43). 
(16) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1). (17) OJ C 48, 28.2.2003, p. 1. (18) OJ L 357, 31.12.2002, p. 72. (19) OJ L 136, 31.5.1999, p. 1. (20) OJ L 136, 31.5.1999, p. 15. (21) OJ L 248, 16.9.2002, p. 1. (22) OJ 17, 6.10.1958, p. 385/58. Regulation as last amended by the 1994 Act of Accession. (23) Council Regulation (EC) No 2965/94 of 28 November 1994 setting up a Translation Centre for bodies of the European Union (OJ L 314, 7.12.1994, p. 1). Regulation as last amended by Regulation (EC) No 1645/2003 (OJ L 245, 29.9.2003, p. 13).
Regulation (EC) No 460/2004 of the European Parliament and of the Council
of 10 March 2004
establishing the European Network and Information Security Agency
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Community, and in particular Article 95 thereof,
Having regard to the proposal from the Commission,
Having regard to the opinion of the European Economic and Social Committee(1),
After consulting the Committee of the Regions,
Acting in accordance with the procedure laid down in Article 251 of the Treaty(2),
Whereas:
(1) Communication networks and information systems have become an essential factor in economic and societal development. Computing and networking are now becoming ubiquitous utilities in the same way as electricity or water supply already are. The security of communication networks and information systems, in particular their availability, is therefore of increasing concern to society not least because of the possibility of problems in key information systems, due to system complexity, accidents, mistakes and attacks, that may have consequences for the physical infrastructures which deliver services critical to the well-being of EU citizens.
(2) The growing number of security breaches has already generated substantial financial damage, has undermined user confidence and has been detrimental to the development of e-commerce. Individuals, public administrations and businesses have reacted by deploying security technologies and security management procedures. Member States have taken several supporting measures, such as information campaigns and research projects, to enhance network and information security throughout society.
(3) The technical complexity of networks and information systems, the variety of products and services that are interconnected, and the huge number of private and public actors that bear their own responsibility risk undermining the smooth functioning of the Internal Market.
(4) Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (the Framework Directive)(3) lays down the tasks of national regulatory authorities, which include cooperating with each other and the Commission in a transparent manner to ensure the development of consistent regulatory practice, contributing to ensuring a high level of protection of personal data and privacy, and ensuring that the integrity and security of public communications networks are ensured.
(5) Present Community legislation also includes Directive 2002/20/EC(4), Directive 2002/22/EC(5), Directive 2002/19/EC(6), Directive 2002/58/EC(7), Directive 1999/93/EC(8), Directive 2000/31/EC(9), as well as the Council Resolution of 18 February 2003 on the implementation of the eEurope 2005 Action Plan(10).
(6) Directive 2002/20/EC entitles Member States to attach to the general authorisation, conditions regarding the security of public networks against unauthorised access in accordance with Directive 97/66/EC(11).
(7) Directive 2002/22/EC requires that Member States take necessary steps to ensure the integrity and availability of the public telephone networks at fixed locations and that undertakings providing publicly available telephone services at fixed locations take all reasonable steps to ensure uninterrupted access to emergency services.
(8) Directive 2002/58/EC requires a provider of a publicly available electronic communications service to take appropriate technical and organisational measures to safeguard security of its services and also requires the confidentiality of the communications and related traffic data. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(12), requires Member States to provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network and against all other unlawful forms of processing.
(9) Directive 2002/21/EC and Directive 1999/93/EC contain provisions on standards that are to be published in the Official Journal of the European Union. Member States also use standards from international bodies as well as de facto standards developed by the global industry. It is necessary for the Commission and the Member States to be able to track those standards which meet the requirements of Community legislation.
(10) These internal market measures require different forms of technical and organisational applications by the Member States and the Commission. These are technically complex tasks with no single, self-evident solutions. The heterogeneous application of these requirements can lead to inefficient solutions and create obstacles to the internal market. This calls for the creation of a centre of expertise at European level providing guidance, advice, and when called upon, with assistance within its objectives, which may be relied upon by the European Parliament, the Commission or competent bodies appointed by the Member States. National Regulatory Authorities, designated under Directive 2002/21/EC, can be appointed by a Member State as a competent body.
(11) The establishment of a European agency, the European Network and Information Security Agency, hereinafter referred to as "the Agency", operating as a point of reference and establishing confidence by virtue of its independence, the quality of the advice it delivers and the information it disseminates, the transparency of its procedures and methods of operation, and its diligence in performing the tasks assigned to it, would respond to these needs. The Agency should build on national and Community efforts and therefore perform its tasks in full cooperation with the Member States and be open to contacts with industry and other relevant stakeholders. As electronic networks, to a large extent, are privately owned, the Agency should build on the input from and cooperation with the private sector.
(12) The exercise of the Agency's tasks should not interfere with the competencies and should not pre-empt, impede or overlap with the relevant powers and tasks conferred on:
- the national regulatory authorities as set out in the Directives relating to the electronic communications networks and services, as well as on the European Regulators Group for Electronic Communications Networks and Services established by Commission Decision 2002/627/EC(13) and the Communications Committee referred to in Directive 2002/21/EC,
- the European standardisation bodies, the national standardisation bodies and the Standing Committee as set out in Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society Services(14),
- the supervisory authorities of the Member States relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data.
(13) To understand better the challenges in the network and information security field, there is a need for the Agency to analyse current and emerging risks and for that purpose the Agency may collect appropriate information, in particular through questionnaires, without imposing new obligations on the private sector or the Member States to generate data. Emerging risks should be understood as issues already visible as possible future risks to network and information security.
(14) Ensuring confidence in networks and information systems requires that individuals, businesses and public administrations are sufficiently informed, educated and trained in the field of network and information security. Public authorities have a role in increasing awareness by informing the general public, small and medium-sized enterprises, corporate companies, public administrations, schools and universities. These measures need to be further developed. An increased information exchange between Member States will facilitate such awareness raising actions. The Agency should provide advice on best practices in awareness-raising, training and courses.
(15) The Agency should have the task of contributing to a high level of network and information security within the Community and of developing a culture of network and information security for the benefit of citizens, consumers, businesses and public sector organisations in the European Union, thus contributing to the smooth functioning of the internal market.
(16) Efficient security policies should be based on well-developed risk assessment methods, both in the public and private sector. Risk assessment methods and procedures are used at different levels with no common practice on their efficient application. The promotion and development of best practices for risk assessment and for interoperable risk management solutions within public and private sector organisations will increase the security level of networks and information systems in Europe.
(17) The work of the Agency should utilise ongoing research, development and technological assessment activities, in particular those carried out by the different Community research initiatives.
(18) Where appropriate and useful for fulfilling its scope, objectives and tasks, the Agency could share experience and general information with bodies and agencies created under European Union law and dealing with network and information security.
(19) Network and information security problems are global issues. There is a need for closer cooperation at global level to improve security standards, improve information, and promote a common global approach to network and information security issues, thereby contributing to the development of a culture of network and information security. Efficient cooperation with third countries and the global community has become a task also at European level. To this end, the Agency should contribute to Community efforts to cooperate with third countries and, where appropriate, with international organisations.
(20) In its activities the Agency should pay attention to small and medium-sized enterprises.
(21) In order effectively to ensure the accomplishment of the tasks of the Agency, the Member States and the Commission should be represented on a Management Board entrusted with the necessary powers to establish the budget, verify its execution, adopt the appropriate financial rules, establish transparent working procedures for decision making by the Agency, approve the Agency's work programme, adopt its own rules of procedure and the Agency's internal rules of operation, appoint and remove the Executive Director. The Management Board should ensure that the Agency carries out its tasks under conditions which enable it to serve in accordance with this Regulation.
(22) A Permanent Stakeholders' Group would be helpful in order to maintain a regular dialogue with the private sector, consumers' organisations and other relevant stakeholders. The Permanent Stakeholders' Group, established and chaired by the Executive Director, should focus on issues relevant to all stakeholders and bring them to the attention of the Executive Director. The Executive Director may, where appropriate and according to the agenda of the meetings, invite representatives of the European Parliament and from other relevant bodies to take part in the meetings of the Group.
(23) The smooth functioning of the Agency requires that its Executive Director is appointed on the grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for network and information security and that he/she performs his/her duties with complete independence and flexibility as to the organisation of the internal functioning of the Agency. To this end, the Executive Director should prepare a proposal for the Agency's work programme, after prior consultation of the Commission and of the Permanent Stakeholders' Group, and take all necessary steps to ensure the proper accomplishment of the working programme of the Agency, should prepare each year a draft general report to be submitted to the Management Board, should draw up a draft statement of estimates of revenue and expenditure of the Agency and should implement the budget.
(24) The Executive Director should have the possibility to set up ad hoc Working Groups to address in particular scientific and technical matters. In establishing the ad hoc Working Groups the Executive Director should seek input from and mobilise the relevant expertise of the private sector. The ad hoc Working Groups should enable the Agency to have access to the most up-to-date information available in order to be able to respond to the security challenges posed by the developing information society. The Agency should ensure that its ad hoc Working Groups are competent and representative and that they include, as appropriate according to the specific issues, representation of the public administrations of the Member States, of the private sector including industry, of the users and of academic experts in network and information security. The Agency may, if necessary, add to the Working Groups independent experts recognised as competent in the field concerned. The experts who participate in the ad hoc Working Groups organised by the Agency should not belong to the Agency's staff. Their expenses should be met by the Agency in accordance with its internal rules and in conformity with the existing Financial Regulations.
(25) The Agency should apply the relevant Community legislation concerning public access to documents as set out in Regulation (EC) No 1049/2001(15) of the European Parliament and of the Council and the protection of individuals with regard to the processing of personal data as set out in Regulation (EC) No 45/2001(16) of the European Parliament and of the Council.
(26) Within its scope, its objectives and in the performance of its tasks, the Agency should comply in particular with the provisions applicable to the Community institutions, as well as the national legislation regarding the treatment of sensitive documents.
(27) In order to guarantee the full autonomy and independence of the Agency, it is considered necessary to grant it an autonomous budget whose revenue comes essentially from a contribution from the Community. The Community budgetary procedure remains applicable as far as any subsidies chargeable to the general budget of the European Union are concerned. Moreover, the Court of Auditors should undertake the auditing of accounts.
(28) Where necessary and on the basis of arrangements to be concluded, the Agency may have access to the interpretation services provided by the Directorate General for Interpretation (DGI) of the Commission, or by Interpretation Services of other Community institutions.
(29) The Agency should be initially established for a limited period and its operations evaluated in order to determine whether the duration of its operations should be extended,
HAVE ADOPTED THIS REGULATION:
SECTION 1 SCOPE, OBJECTIVES AND TASKS
Article 1
Scope
1. For the purpose of ensuring a high and effective level of network and information security within the Community and in order to develop a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, thus contributing to the smooth functioning of the internal market, a European Network and Information Security Agency is hereby established, hereinafter referred to as "the Agency".
2. The Agency shall assist the Commission and the Member States, and in consequence cooperate with the business community, in order to help them to meet the requirements of network and information security, including those set out in present and future Community legislation such as Directive 2002/21/EC, thereby ensuring the smooth functioning of the internal market.
3. The objectives and the tasks of the Agency shall be without prejudice to the competencies of the Member States regarding network and information security which fall outside the scope of the EC Treaty, such as those covered by Titles V and VI of the Treaty on European Union, and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the issues relate to State security matters) and the activities of the State in areas of criminal law.
Article 2
Objectives
1. The Agency shall enhance the capability of the Community, the Member States and, as a consequence, the business community to prevent, address and to respond to network and information security problems.
2. The Agency shall provide assistance and deliver advice to the Commission and the Member States on issues related to network and information security falling within its competencies as set out in this Regulation.
3. Building on national and Community efforts, the Agency shall develop a high level of expertise. The Agency shall use this expertise to stimulate broad cooperation between actors from the public and private sectors.
4. The Agency shall assist the Commission, where called upon, in the technical preparatory work for updating and developing Community legislation in the field of network and information security.
Article 3
Tasks
In order to ensure that the scope and objectives set out in Articles 1 and 2 are complied with and met, the Agency shall perform the following tasks:
(a) collect appropriate information to analyse current and emerging risks and, in particular at the European level, those which could produce an impact on the resilience and the availability of electronic communications networks and on the authenticity, integrity and confidentiality of the information accessed and transmitted through them, and provide the results of the analysis to the Member States and the Commission;
(b) provide the European Parliament, the Commission, European bodies or competent national bodies appointed by the Member States with advice, and when called upon, with assistance within its objectives;
(c) enhance cooperation between different actors operating in the field of network and information security, inter alia, by organising, on a regular basis, consultation with industry, universities, as well as other sectors concerned and by establishing networks of contacts for Community bodies, public sector bodies appointed by the Member States, private sector and consumer bodies;
(d) facilitate cooperation between the Commission and the Member States in the development of common methodologies to prevent, address and respond to network and information security issues;
(e) contribute to awareness raising and the availability of timely, objective and comprehensive information on network and information security issues for all users by, inter alia, promoting exchanges of current best practices, including on methods of alerting users, and seeking synergy between public and private sector initiatives;
(f) assist the Commission and the Member States in their dialogue with industry to address security-related problems in the hardware and software products;
(g) track the development of standards for products and services on network and information security;
(h) advise the Commission on research in the area of network and information security as well as on the effective use of risk prevention technologies;
(i) promote risk assessment activities, interoperable risk management solutions and studies on prevention management solutions within public and private sector organisations;
(j) contribute to Community efforts to cooperate with third countries and, where appropriate, with international organisations to promote a common global approach to network and information security issues, thereby contributing to the development of a culture of network and information security;
(k) express independently its own conclusions, orientations and give advice on matters within its scope and objectives.
Article 4
Definitions
For the purposes of this Regulation the following definitions shall apply:
(a) "network" means transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable TV networks, irrespective of the type of information conveyed;
(b) "information system" means computers and electronic communication networks, as well as electronic data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance;
(c) "network and information security" means the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems;
(d) "availability" means that data is accessible and services are operational;
(e) "authentication" means the confirmation of an asserted identity of entities or users;
(f) "data integrity" means the confirmation that data which has been sent, received, or stored are complete and unchanged;
(g) "data confidentiality" means the protection of communications or stored data against interception and reading by unauthorised persons;
(h) "risk" means a function of the probability that a vulnerability in the system affects authentication or the availability, authenticity, integrity or confidentiality of the data processed or transferred and the severity of that effect, consequential to the intentional or non-intentional use of such a vulnerability;
(i) "risk assessment" means a scientific and technologically based process consisting of four steps, threats identification, threat characterisation, exposure assessment and risk characterisation;
(j) "risk management" means the process, distinct from risk assessment, of weighing policy alternatives in consultation with interested parties, considering risk assessment and other legitimate factors, and, if need be, selecting appropriate prevention and control options;
(k) "culture of network and information security" has the same meaning as that set out in the OECD Guidelines for the security of Information Systems and Networks of 25 July 2002 and the Council Resolution of 18 February 2003 on a European approach towards a culture of network and information security(17).
SECTION 2 ORGANISATION
Article 5
Bodies of the Agency
The Agency shall comprise:
(a) a Management Board;
(b) an Executive Director, and
(c) a Permanent Stakeholders' Group.
Article 6
Management Board
1. The Management Board shall be composed of one representative of each Member State, three representatives appointed by the Commission, as well as three representatives, proposed by the Commission and appointed by the Council, without the right to vote, each of whom represents one of the following groups:
(a) information and communication technologies industry;
(b) consumer groups;
(c) academic experts in network and information security.
2. Board members shall be appointed on the basis of their degree of relevant experience and expertise in the field of network and information security. Representatives may be replaced by alternates, appointed at the same time.
3. The Management Board shall elect its Chairperson and a Deputy Chairperson from among its members for a two-and-a-half-year period, which shall be renewable. The Deputy Chairperson shall ex-officio replace the Chairperson in the event of the Chairperson being unable to attend to his/her duties.
4. The Management Board shall adopt its rules of procedure, on the basis of a proposal by the Commission. Unless otherwise provided, the Management Board shall take its decisions by a majority of its members with the right to vote.
A two-thirds majority of all members with the right to vote is required for the adoption of its rules of procedure, the Agency's internal rules of operation, the budget, the annual work programme, as well as the appointment and the removal of the Executive Director.
5. Meetings of the Management Board shall be convened by its Chairperson. The Management Board shall hold an ordinary meeting twice a year. It shall also hold extraordinary meetings at the instance of the Chairperson or at the request of at least a third of its members with the right to vote. The Executive Director shall take part in the meetings of the Management Board, without voting rights, and shall provide the Secretariat.
6. The Management Board shall adopt the Agency's internal rules of operation on the basis of a proposal by the Commission. These rules shall be made public.
7. The Management Board shall define the general orientations for the operation of the Agency. The Management Board shall ensure that the Agency works in accordance with the principles laid down in Articles 12 to 14 and 23. It shall also ensure consistency of the Agency's work with activities conducted by Member States as well as at Community level.
8. Before 30 November each year, the Management Board, having received the Commission's opinion shall adopt the Agency's work programme for the following year. The Management Board shall ensure that the work programme is consistent with the Agency's scope, objectives and tasks as well as with the Community's legislative and policy priorities in the area of network and information security.
9. Before 31 March each year, the Management Board shall adopt the general report on the Agency's activities for the previous year.
10. The financial rules applicable to the Agency shall be adopted by the Management Board after the Commission has been consulted. They may not depart from Commission Regulation (EC, Euratom) No 2343/2002 of 19 November 2002 on the framework Financial Regulation for the bodies referred to in Article 185 of the Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities(18), unless such departure is specifically required for the Agency's operation and the Commission has given its prior consent.
Article 7
Executive Director
1. The Agency shall be managed by its Executive Director, who shall be independent in the performance of his/her duties.
2. The Executive Director shall be appointed by the Management Board on the basis of a list of candidates proposed by the Commission after an open competition following publication in the Official Journal of the European Union and elsewhere of a call for expressions of interest. The Executive Director shall be appointed on the grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for network and information security. Before appointment the candidate nominated by the Management Board shall be invited without delay to make a statement before the European Parliament and to answer questions put by members of that institution. The European Parliament or the Council may also ask at any time for a hearing with the Executive Director on any subject related to the Agency's activities. The Executive Director may be removed from office by the Management Board.
3. The term of office of the Executive Director shall be up to five years.
4. The Executive Director shall be responsible for:
(a) the day-to-day administration of the Agency;
(b) drawing up a proposal for the Agency's work programmes after prior consultation of the Commission and of the Permanent Stakeholders' Group;
(c) implementing the work programmes and the decisions adopted by the Management Board;
(d) ensuring that the Agency carries out its tasks in accordance with the requirements of those using its services, in particular with regard to the adequacy of the services provided;
(e) the preparation of the Agency's draft statement of estimates of revenue and expenditure and the execution of its budget;
(f) all staff matters;
(g) developing and maintaining contact with the European Parliament and for ensuring a regular dialogue with its relevant committees;
(h) developing and maintaining contact with the business community and consumers organisations for ensuring a regular dialogue with relevant stakeholders;
(i) chairing the Permanent Stakeholders' Group.
5. Each year, the Executive Director shall submit to the Management Board for approval:
(a) a draft general report covering all the activities of the Agency in the previous year;
(b) a draft work programme.
6. The Executive Director shall, following adoption by the Management Board, forward the work programme to the European Parliament, the Council, the Commission and the Member States and shall have it published.
7. The Executive Director shall, following adoption by the Management Board, transmit the Agency's general report to the European Parliament, the Council, the Commission, the Court of Auditors, the European Economic and Social Committee and the Committee of the Regions and shall have it published.
8. Where necessary and within the Agency's scope, objectives and tasks, the Executive Director may establish, in consultation with the Permanent Stakeholders' Group, ad hoc Working Groups composed of experts. The Management Board shall be duly informed. The procedures regarding in particular the composition, the appointment of the experts by the Executive Director and the operation of the ad hoc Working Groups shall be specified in the Agency's internal rules of operation.
Where established, the ad hoc Working Groups shall address in particular technical and scientific matters.
Members of the Management Board may not be members of the ad hoc Working Groups. Representatives of the Commission shall be entitled to be present in their meetings.
Article 8
Permanent Stakeholders' Group
1. The Executive Director shall establish a Permanent Stakeholders' Group composed of experts representing the relevant stakeholders, such as information and communication technologies industry, consumer groups and academic experts in network and information security.
2. The procedures regarding in particular the number, the composition, the appointment of the members by the Executive Director and the operation of the Group shall be specified in the Agency's internal rules of operation and shall be made public.
3. The Group shall be chaired by the Executive Director. The term of office of its members shall be two-and-a-half years. Members of the Group may not be members of the Management Board.
4. Representatives of the Commission shall be entitled to be present in the meetings and participate in the work of the Group.
5. The Group may advise the Executive Director in the performance of his/her duties under this Regulation, in drawing up a proposal for the Agency's work programme, as well as in ensuring communication with the relevant stakeholders on all issues related to the work programme.
SECTION 3 OPERATION
Article 9
Work programme
The Agency shall base its operations on carrying out the work programme adopted in accordance with Article 6(8). The work programme shall not prevent the Agency from taking up unforeseen activities that fall within its scope and objectives and within the given budget limitations.
Article 10
Requests to the Agency
1. Requests for advice and assistance falling within the Agency's scope, objectives and tasks shall be addressed to the Executive Director and accompanied by background information explaining the issue to be addressed. The Executive Director shall inform the Commission of the received requests. If the Agency refuses a request, justification shall be given.
2. Requests referred to in paragraph 1 may be made by:
(a) the European Parliament;
(b) the Commission;
(c) any competent body appointed by a Member State, such as a national regulatory authority as defined in Article 2 of Directive 2002/21/EC.
3. The practical arrangements for the application of paragraphs 1 and 2, regarding in particular the submission, the prioritisation, the follow up as well as the information of the Management Board on the requests to the Agency shall be laid down by the Management Board in the Agency's internal rules of operation.
Article 11
Declaration of interests
1. The Executive Director, as well as officials seconded by Member States on a temporary basis shall make a declaration of commitments and a declaration of interests indicating the absence of any direct or indirect interests, which might be considered prejudicial to their independence. Such declarations shall be made in writing.
2. External experts participating in ad hoc Working Groups, shall declare at each meeting any interests, which might be considered prejudicial to their independence in relation to the items on the agenda.
Article 12
Transparency
1. The Agency shall ensure that it carries out its activities with a high level of transparency and in accordance with Articles 13 and 14.
2. The Agency shall ensure that the public and any interested parties are given objective, reliable and easily accessible information, in particular with regard to the results of its work, where appropriate. It shall also make public the declarations of interest made by the Executive Director and by officials seconded by Member States on a temporary basis, as well as the declarations of interest made by experts in relation to items on the agendas of meetings of the ad hoc Working Groups.
3. The Management Board, acting on a proposal from the Executive Director, may authorise interested parties to observe the proceedings of some of the Agency's activities.
4. The Agency shall lay down in its internal rules of operation the practical arrangements for implementing the transparency rules referred to in paragraphs 1 and 2.
Article 13
Confidentiality
1. Without prejudice to Article 14, the Agency shall not divulge to third parties information that it processes or receives for which confidential treatment has been requested.
2. Members of the Management Board, the Executive Director, the members of the Permanent Stakeholders' Group, external experts participating in ad hoc Working Groups, and members of the staff of the Agency including officials seconded by Member States on a temporary basis, even after their duties have ceased, are subject to the requirements of confidentiality pursuant to Article 287 of the Treaty.
3. The Agency shall lay down in its internal rules of operation the practical arrangements for implementing the confidentiality rules referred to in paragraphs 1 and 2.
Article 14
Access to documents
1. Regulation (EC) No 1049/2001 shall apply to documents held by the Agency.
2. The Management Board shall adopt arrangements for implementing the Regulation (EC) No 1049/2001 within six months of the establishment of the Agency.
3. Decisions taken by the Agency pursuant to Article 8 of Regulation (EC) No 1049/2001 may form the subject of a complaint to the Ombudsman or of an action before the Court of Justice of the European Communities, under Articles 195 and 230 of the Treaty respectively.
SECTION 4 FINANCIAL PROVISIONS
Article 15
Adoption of the budget
1. The revenues of the Agency shall consist of a contribution from the Community and any contribution from third countries participating in the work of the Agency as provided for by Article 24.
2. The expenditure of the Agency shall include the staff, administrative and technical support, infrastructure and operational expenses, and expenses resulting from contracts entered into with third parties.
3. By 1 March each year at the latest, the Executive Director shall draw up a draft statement of estimates of the Agency's revenue and expenditure for the following financial year, and shall forward it to the Management Board, together with a draft establishment plan.
4. Revenue and expenditure shall be in balance.
5. Each year, the Management Board, on the basis of a draft statement of estimates of revenue and expenditure drawn up by the Executive Director, shall produce a statement of estimates of revenue and expenditure for the Agency for the following financial year.
6. This statement of estimates, which shall include a draft establishment plan together with the provisional work programme, shall by 31 March at the latest, be transmitted by the Management Board to the Commission and the States with which the Community has concluded agreements in accordance with Article 24.
7. This statement of estimates shall be forwarded by the Commission to the European Parliament and the Council (both hereinafter referred to as the "budgetary authority") together with the preliminary draft general budget of the European Union.
8. On the basis of this statement of estimates, the Commission shall enter in the preliminary draft general budget of the European Union the estimates it deems necessary for the establishment plan and the amount of the subsidy to be charged to the general budget, which it shall submit to the budgetary authority in accordance with Article 272 of the Treaty.
9. The budgetary authority shall authorise the appropriations for the subsidy to the Agency.
The budgetary authority shall adopt the establishment plan for the Agency.
10. The Management Board shall adopt the Agency's budget. It shall become final following final adoption of the general budget of the European Union. Where appropriate, the Agency's budget shall be adjusted accordingly. The Management Board shall forward it without delay to the Commission and the budgetary authority.
11. The Management Board shall, as soon as possible, notify the budgetary authority of its intention to implement any project which may have significant financial implications for the funding of the budget, in particular any projects relating to property such as the rental or purchase of buildings. It shall inform the Commission thereof.
Where a branch of the budgetary authority has notified its intention to deliver an opinion, it shall forward its opinion to the Management Board within a period of six weeks from the date of notification of the project.
Article 16
Combating fraud
1. In order to combat fraud, corruption and other unlawful activities the provisions of Regulation (EC) No 1073/1999 of the European Parliament and of the Council of 25 May 1999 concerning investigations conducted by the European Anti-fraud Office (OLAF)(19) shall apply without restriction.
2. The Agency shall accede to the Interinstitutional Agreement of 25 May 1999 between the European Parliament and the Council of the European Union and the Commission of the European Communities concerning internal investigations by the European Anti-fraud Office (OLAF)(20) and shall issue, without delay, the appropriate provisions applicable to all the employees of the Agency.
Article 17
Implementation of the budget
1. The Executive Director shall implement the Agency's budget.
2. The Commission's internal auditor shall exercise the same powers over the Agency as over Commission departments.
3. By 1 March at the latest following each financial year, the Agency's accounting officer shall communicate the provisional accounts to the Commission's accounting officer together with a report on the budgetary and financial management for that financial year. The Commission's accounting officer shall consolidate the provisional accounts of the institutions and decentralised bodies in accordance with Article 128 of Council Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 on the Financial Regulation applicable to the general budget of the European Communities(21) (hereinafter referred to as the general Financial Regulation).
4. By 31 March at the latest following each financial year, the Commission's accounting officer shall transmit the Agency's provisional accounts to the Court of Auditors, together with a report on the budgetary and financial management for that financial year. The report on the budgetary and financial management for the financial year shall also be transmitted to the budgetary authority.
5. On receipt of the Court of Auditors' observations on the Agency's provisional accounts, pursuant to Article 129 of the general Financial Regulation, the Executive Director shall draw up the Agency's final accounts under his/her own responsibility and transmit them to the Management Board for an opinion.
6. The Management Board shall deliver an opinion on the Agency's final accounts.
7. The Executive Director shall, by 1 July at the latest following each financial year, transmit the final accounts to the European Parliament, the Council, the Commission and the Court of Auditors, together with the Management Board's opinion.
8. The final accounts shall be published.
9. The Executive Director shall send the Court of Auditors a reply to its observations by 30 September at the latest. He/she shall also send this reply to the Management Board.
10. The Executive Director shall submit to the European Parliament, at the latter's request, all information necessary for the smooth application of the discharge procedure for the financial year in question, as laid down in Article 146(3) of the general Financial Regulation.
11. The European Parliament, on a recommendation from the Council acting by a qualified majority, shall, before 30 April of year N+2 give a discharge to the Executive Director in respect of the implementation of the budget for the year N.
SECTION 5 GENERAL PROVISIONS
Article 18
Legal status
1. The Agency shall be a body of the Community. It shall have legal personality.
2. In each of the Member States the Agency shall enjoy the most extensive legal capacity accorded to legal persons under their laws. It may in particular, acquire and dispose of movable and immovable property and be a party to legal proceedings.
3. The Agency shall be represented by its Executive Director.
Article 19
Staff
1. The staff of the Agency, including its Executive Director, shall be subject to the rules and regulations applicable to officials and other staff of the European Communities.
2. Without prejudice to Article 6, the powers conferred on the appointing authority by the Staff Regulations and on the authority authorised to conclude contracts by the Conditions of employment of other servants, shall be exercised by the Agency in respect of its own staff.
The Agency may also employ officials seconded by Member States on a temporary basis and for a maximum of five years.
Article 20
Privileges and immunities
The Protocol on the Privileges and Immunities of the European Communities shall apply to the Agency and its staff.
Article 21
Liability
1. The contractual liability of the Agency shall be governed by the law applicable to the contract in question.
The Court of Justice of the European Communities shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by the Agency.
2. In the case of non-contractual liability, the Agency shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by it or its servants in the performance of their duties.
The Court of Justice shall have jurisdiction in any dispute relating to compensation for such damage.
3. The personal liability of its servants towards the Agency shall be governed by the relevant conditions applying to the staff of the Agency.
Article 22
Languages
1. The provisions laid down in Regulation No 1 of 15 April 1958 determining the languages to be used in the European Economic Community(22) shall apply to the Agency. The Member States and the other bodies appointed by them may address the Agency and receive a reply in the Community language of their choice.
2. The translation services required for the functioning of the Agency shall be provided by the Translation Centre for the Bodies of the European Union(23).
Article 23
Protection of personal data
When processing data relating to individuals, the Agency shall be subject to the provisions of Regulation (EC) No 45/2001.
Article 24
Participation of third countries
1. The Agency shall be open to the participation of countries, which have concluded agreements with the European Community by virtue of which they have adopted and applied Community legislation in the field covered by this Regulation.
2. Arrangements shall be made under the relevant provisions of those agreements, specifying in particular the nature, extent and manner in which these countries will participate in the Agency's work, including provisions relating to participation in the initiatives undertaken by the Agency, financial contributions and staff.
SECTION 6 FINAL PROVISIONS
Article 25
Review clause
1. By 17 March 2007, the Commission, taking into account the views of all relevant stakeholders, shall carry out an evaluation on the basis of the terms of reference agreed with the Management Board. The Commission shall undertake the evaluation, notably with the aim to determine whether the duration of the Agency should be extended beyond the period specified in Article 27.
2. The evaluation shall assess the impact of the Agency on achieving its objectives and tasks, as well as its working practices and envisage, if necessary, the appropriate proposals.
3. The Management Board shall receive a report on the evaluation and issue recommendations regarding eventual appropriate changes to this Regulation to the Commission. Both the evaluation findings and recommendations shall be forwarded by the Commission to the European Parliament and the Council and shall be made public.
Article 26
Administrative control
The operations of the Agency are subject to the supervision of the Ombudsman in accordance with the provisions of Article 195 of the Treaty.
Article 27
Duration
The Agency shall be established from 14 March 2004 for a period of five years.
Article 28
Entry into force
This Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Strasbourg, 10 March 2004.
For the European Parliament
The President
P. Cox
For the Council
The President
D. Roche
(1) OJ C 220, 16.9.2003, p. 33.
(2) Opinion of the European Parliament of 19 November 2003 (not yet published in the Official Journal) and Council Decision of 19 February 2004.
(3) OJ L 108, 24.4.2002, p. 33.
(4) Directive 2002/20/EC of the European Parliament and of the Council of 7 March 2002 on the authorisation of electronic communications networks and services (Authorisation Directive) (OJ L 108, 24.4.2002, p. 21).
(5) Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users' rights relating to electronic communications networks and services (Universal Service Directive) (OJ L 108, 24.4.2002, p. 51).
(6) Directive 2002/19/EC of the European Parliament and of the Council of 7 March 2002 on access to, and interconnection of, electronic communications networks and associated facilities (Access Directive) (OJ L 108, 24.4.2002, p. 7).
(7) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
(8) Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (OJ L 13, 19.1.2000, p. 12).
(9) Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) (OJ L 178, 17.7.2000, p. 1).
(10) OJ C 48, 28.2.2003, p. 2.
(11) Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector (OJ L 24, 30.1.1998, p. 1). Directive repealed and replaced by Directive 2002/58/EC.
(12) OJ L 281, 23.11.1995, p. 31. Directive as amended by Regulation (EC) No 1882/2003 (OJ L 284, 31.10.2003, p. 1).
(13) OJ L 200, 30.7.2002, p. 38.
(14) OJ L 204, 21.7.1998, p. 37. Directive as amended by Directive 98/48/EC (OJ L 217, 5.8.1998, p. 18).
(15) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
(16) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
(17) OJ C 48, 28.2.2003, p. 1.
(18) OJ L 357, 31.12.2002, p. 72.
(19) OJ L 136, 31.5.1999, p. 1.
(20) OJ L 136, 31.5.1999, p. 15.
(21) OJ L 248, 16.9.2002, p. 1.
(22) OJ 17, 6.10.1958, p. 385/58. Regulation as last amended by the 1994 Act of Accession.
(23) Council Regulation (EC) No 2965/94 of 28 November 1994 setting up a Translation Centre for bodies of the European Union (OJ L 314, 7.12.1994, p. 1). Regulation as last amended by Regulation (EC) No 1645/2003 (OJ L 245, 29.9.2003, p. 13).